Post-Travel Device Forensics

Post-Travel Device Forensics #

  • Thesis ID: 25-03
  • Research Proposal: Post-Travel Device Forensics: Developing a Procedure to Detect Tampering and Compromise After Border Crossings
  • Collaboration company/organization: -

Abstract #

When laptops, mobile phones, or other digital devices travel abroad—particularly across hostile jurisdictions or high-risk borders—they may be subjected to tampering, surveillance implants, or malware installation. Security researchers, journalists, diplomats, and business travelers face the risk of their devices being compromised through border device searches, temporary confiscation, or covert manipulation.

While security guidelines (e.g., “travel laptops” or “clean devices”) exist, there is a lack of standardized post-travel forensic methodologies to systematically evaluate whether a device has been altered after returning from abroad. Developing such a procedure is critical for protecting sensitive data, preventing supply chain infiltration, and improving digital security practices.

Details

1. Research Problem #

The main problem this project addresses is the absence of a reliable, replicable process to examine devices post-travel for signs of tampering—whether hardware (e.g., implants, altered firmware) or software (e.g., malware, persistence mechanisms).

2. Research Objectives #

  1. Develop a forensic examination framework tailored to devices that may have been exposed during international travel.
  2. Identify forensic indicators of tampering, including hardware implants, OS-level modifications, persistence techniques, and network beaconing.
  3. Create a repeatable procedure that organizations can adopt to verify the integrity of laptops, smartphones, and other portable devices after they return from abroad.
  4. Evaluate detection effectiveness using simulated tampering scenarios in a controlled lab environment.

3. Methodology #

  • Literature and Threat Landscape Review: Survey known techniques for border device compromise (malware injection, bootloader tampering, firmware reflashing, hardware implants).
  • Testbed Setup: Prepare laptops and smartphones with baseline forensic images.
  • Tampering Simulation: Introduce controlled compromises (malware installation, altered configurations, hardware modifications) to simulate border attacks.
  • Forensic Analysis: Apply memory forensics, file system analysis, boot/firmware integrity checks, and network monitoring to detect anomalies.
  • Procedure Development: Formulate a step-by-step checklist and workflow for post-travel forensic inspection.
  • Evaluation: Assess procedure effectiveness (detection rate, false positives/negatives) and feasibility (time, cost, required expertise).

4. Expected Contributions #

  • A practical forensic procedure for detecting tampering in devices after border crossings.
  • Identification of key forensic artifacts and IoCs related to device compromise abroad.
  • A reference framework organizations can adopt for journalists, businesses, and government entities.
  • Recommendations for future-proofing digital travel security practices.

5. Tentative Timeline (6–9 Months) #

  1. Months 1–2: Literature review, threat modeling, testbed setup.
  2. Months 3–4: Controlled tampering experiments, forensic imaging, data collection.
  3. Months 5–6: Procedure development and refinement.
  4. Months 7–8: Evaluation of detection capabilities, case studies.
  5. Month 9: Final documentation and thesis writing.

6. References #